The Cable Guy - October 2003

Split Tunneling for Concurrent Access to the Internet and an Intranet

When a Windows-based VPN client makes a VPN connection, it automatically adds a new default route for the VPN connection and modifies the existing default route that points to the Internet to have a higher metric. Adding the new default route means that Internet locations except the IP address of the VPN server are not reachable for the duration of the VPN connection.

To prevent the new default route from being created, select Internet Protocol (TCP/IP) on the Networking tab for the properties of the VPN connection. Click Properties, and then click Advanced. In Advanced TCP/IP Settings, on the General tab, clear the Use default gateway on remote network check box. This is shown in the following figure.

When the Use default gateway on remote network check box is cleared, a default route is not created; however, a route that corresponds to the Internet address class-based network ID of the assigned IP address is created. For example, if the address assigned during the connection process is 10.0.12.119, the Windows 2000, Windows XP, and Windows Server 2003 VPN client creates a route for the class-based network ID 10.0.0.0 with the subnet mask 255.0.0.0.

Based on the Use default gateway on remote network setting, one of the following occurs when the VPN connection is active:

When the Use default gateway on remote network check box is cleared, Internet locations are reachable, and intranet locations are not reachable except for those within the class-based network ID of the assigned IP address.

When the Use default gateway on remote network check box is selected (the default setting), all intranet locations are reachable and Internet locations are not reachable, except for the address of the VPN server and locations available through other routes.

For most Internet-connected VPN clients, this behavior does not represent a problem because they are typically engaged in either intranet or Internet communication, but not both.

For VPN clients to have concurrent access to intranet and Internet resources when the VPN connection is active, you can do one of the following:

Select the Use default gateway on remote network check box and allow Internet access through the organization intranet.

Internet traffic between the VPN client and Internet hosts passes through the organization firewalls or proxy servers as if the VPN client were physically connected to the organization intranet. Although there might be an impact on performance when accessing Internet resources, this method allows Internet access to be filtered and monitored according to organization network policies while the VPN client is connected to the organization network. For example, if organization Web proxy servers block access to certain types of Web sites, those Web sites are also blocked when VPN clients are connected to the organization network.

If the addressing within your intranet is based on a single class-based network ID, clear the Use default gateway on remote network check box.

For example, if your intranet uses only the private IP address space 10.0.0.0/8, connecting VPN clients automatically create a 10.0.0.0/8 route over the VPN connection, making all of the locations on the organization intranet reachable.

If the addressing within your intranet is not based on a single class-based network ID, clear the Use default gateway on remote network check box and use one of the following solutions:

The Classless Static Routes DHCP option

The Connection Manager Administration Kit for Windows Server 2003

A CMD file on the VPN client

The use of these methods to provide explicit routes to intranet locations is known as split tunneling.
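The reachability rules above can be seen by modelling the client's routing table. The following Python script is an added example written for this page, not code from the article or from Microsoft. It assumes illustrative metric values, the article's example client address 10.0.12.119, a constructed VPN server address 203.0.113.10, and the standard ipaddress module for the longest-prefix-match decision; it covers both check box settings and the split-tunnel case where summary routes for the private address space are added.

```python
# Added example, not from the original article: a small model of the VPN
# client's IPv4 routing table under each "Use default gateway on remote
# network" setting, with optional split-tunnel routes. Metrics and the VPN
# server address are illustrative, constructed values.
import ipaddress

def classful_network(ip):
    """Class-based network (A: /8, B: /16, C: /24) that the Windows VPN client
    derives from its assigned address when the remote default gateway is not used."""
    addr = ipaddress.IPv4Address(ip)
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefixlen = 8
    elif first_octet < 192:
        prefixlen = 16
    elif first_octet < 224:
        prefixlen = 24
    else:
        raise ValueError("class D/E address has no class-based network")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)

def build_table(vpn_ip, vpn_server_ip, use_remote_default_gateway, split_routes=()):
    """Return routes as (network, interface, metric) tuples.

    Before connecting there is one default route via the Internet interface.
    With the check box selected, Windows adds a default route over the VPN and
    raises the metric of the Internet default route; with it cleared, only the
    class-based route of the assigned address is added. A host route to the VPN
    server stays on the Internet interface so the tunnel itself keeps working.
    (Metric values here are illustrative.)"""
    any4 = ipaddress.IPv4Network("0.0.0.0/0")
    table = [(ipaddress.IPv4Network(vpn_server_ip + "/32"), "internet", 1)]
    if use_remote_default_gateway:
        table += [(any4, "internet", 2), (any4, "vpn", 1)]
    else:
        table += [(any4, "internet", 1), (classful_network(vpn_ip), "vpn", 1)]
    for net in split_routes:  # routes added by DHCP option 249, CMAK or a CMD file
        table.append((ipaddress.IPv4Network(net), "vpn", 1))
    return table

def egress_interface(table, dest):
    """Standard forwarding decision: longest prefix match, lowest metric on ties."""
    d = ipaddress.IPv4Address(dest)
    candidates = [r for r in table if d in r[0]]
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]

if __name__ == "__main__":
    # Constructed sample: client assigned 10.0.12.119, VPN server at 203.0.113.10
    for setting in (True, False):
        table = build_table("10.0.12.119", "203.0.113.10", setting)
        print("use remote default gateway =", setting)
        for dest in ("10.5.5.5", "172.16.1.1", "198.51.100.7", "203.0.113.10"):
            print("  ", dest, "->", egress_interface(table, dest))
    split = build_table("10.0.12.119", "203.0.113.10", False,
                        ["172.16.0.0/12", "192.168.0.0/16"])
    print("split tunnel, 172.16.1.1 ->", egress_interface(split, "172.16.1.1"))
```

With the check box cleared, only 10.0.0.0/8 goes over the tunnel and 172.16.1.1 is sent to the Internet; once the 172.16.0.0/12 and 192.168.0.0/16 summary routes are added, those intranet ranges go over the tunnel while Internet destinations still use the Internet interface.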

Using the Classless Static Routes DHCP Option

Windows 2000, Windows XP, and Windows Server 2003-based VPN clients send a DHCPInform message to the VPN server, requesting a set of DHCP options. This is done so that the VPN client can obtain an updated list of DNS and WINS servers and a DNS domain name that is assigned to the VPN connection. The DHCPInform message is forwarded to a DHCP server on the organization intranet by the VPN server and the response is sent back to the VPN client.

Windows XP and Windows Server 2003-based VPN clients include the Classless Static Routes DHCP option in their list of requested DHCP options. If configured on the DHCP server, the Classless Static Routes DHCP option contains a set of routes representing the address space of your intranet. These routes are automatically added to the routing table of the requesting client when it receives the response to the DHCPInform message and automatically removed when the VPN connection is terminated.

The Windows Server 2003 DHCP Server service supports the configuration of the Classless Static Routes option (option number 249). The following figure shows the option in the DHCP snap-in.


To use the Classless Static Routes option for split tunneling, configure this option for the scope that corresponds to the intranet subnet to which the VPN server is connected. Next, add the set of routes that correspond to the summarized address space of your organization intranet. For example, if you use the private IP address space for your organization intranet, the Classless Static Routes option would have the following three routes:

10.0.0.0 with the subnet mask of 255.0.0.0

172.16.0.0 with the subnet mask of 255.240.0.0

192.168.0.0 with the subnet mask of 255.255.0.0

The Router IP address for each route added to the Classless Static Routes option should be set to the IP address of a router interface on the intranet subnet to which the VPN server is connected. For example, if the VPN server is connected to the intranet subnet 10.89.211.0/24 and the IP address of the intranet router on this subnet is 10.89.21.1, then set the Router IP address for each route to 10.89.21.1.
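The article's three summary routes via 10.89.21.1, encoded into the option's data bytes and decoded again: this is an added example, not code from the article or from the Windows DHCP Server service. It assumes that option 249 carries the same wire format as the IETF Classless Static Route option (RFC 3442): one byte of prefix length, only the significant destination octets, then the four-octet router address.

```python
# Added example, not from the article or from the Windows DHCP Server service:
# an encoder and decoder for the Classless Static Routes option data. It assumes
# option 249 carries the same wire format as the IETF Classless Static Route
# option (RFC 3442): one byte of prefix length, then only the significant
# destination octets (ceil(prefixlen / 8) of them), then the 4-octet router.
import ipaddress

def encode_classless_static_routes(routes):
    """routes: iterable of (destination CIDR, router IP) -> option data bytes."""
    data = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)           # strict: rejects set host bits
        significant = (net.prefixlen + 7) // 8
        data.append(net.prefixlen)
        data += net.network_address.packed[:significant]
        data += ipaddress.IPv4Address(router).packed
    return bytes(data)

def decode_classless_static_routes(data):
    """Option data bytes -> list of (destination CIDR, router IP) strings.
    Raises ValueError on a truncated or otherwise malformed option."""
    routes = []
    i = 0
    while i < len(data):
        prefixlen = data[i]
        if prefixlen > 32:
            raise ValueError("prefix length %d > 32 at offset %d" % (prefixlen, i))
        significant = (prefixlen + 7) // 8
        i += 1
        if i + significant + 4 > len(data):
            raise ValueError("truncated route at offset %d" % (i - 1))
        dest = data[i:i + significant] + bytes(4 - significant)   # pad to 4 octets
        i += significant
        router = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        net = ipaddress.IPv4Network((dest, prefixlen), strict=False)
        routes.append((str(net), str(router)))
    return routes

# The article's example: three summary routes via router 10.89.21.1
ARTICLE_ROUTES = [
    ("10.0.0.0/8", "10.89.21.1"),
    ("172.16.0.0/12", "10.89.21.1"),
    ("192.168.0.0/16", "10.89.21.1"),
]

if __name__ == "__main__":
    blob = encode_classless_static_routes(ARTICLE_ROUTES)
    print(blob.hex())
    for net, router in decode_classless_static_routes(blob):
        print(net, "via", router)
```

The decoder is the part worth keeping around: it lets you confirm, from a captured DHCP reply, that the option a client received carries exactly the routes configured in the scope and nothing more.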

Using the Connection Manager Administration Kit for Windows Server 2003

You can use the Connection Manager Administration Kit for Windows Server 2003 to configure specific routes as part of the Connection Manager profile that is distributed to VPN clients. On the Routing Table Update page of the Connection Manager Administration Kit, you can:

Include a text file that contains the set of routes that summarize the address space of the organization intranet.

Specify the Uniform Resource Locator (URL) for the location of a text file on the organization intranet that is reachable by VPN clients and contains the latest set of routes that summarize the address space of the organization intranet.

You can do both, in which case the routes for the text file included in the profile are applied first, and then the routes for the text file at the specified URL are applied.

The following figure shows the Routing Table Update page.


To add or delete routes, the route text file (both the version included in the profile and the one at the specified URL) contains lines with the following syntax, which is the same as that of the route command:

Command Destination mask Netmask default metric default if default

In which:

Command is add (to add a route) or delete (to delete a route).

Destination is the network ID of the route.

Netmask is the subnet mask, which corresponds to the Destination that defines the network ID.

The use of default in most commands in the route text file is the recommended value for the gateway, metric, and interface parameters. When default is used, the appropriate value from the VPN client computer is used at the time of route creation. For more information about using values other than default, see the topic titled Including routing table updates in Help and Support Center for Windows Server 2003.

Another command supported by the route text file is remove_gateway, which removes the default gateway. There are no additional parameters for the remove_gateway command.

For example, to add routes for the private network address space, the route text file would contain the following:

add 10.0.0.0 mask 255.0.0.0 default metric default if default

add 172.16.0.0 mask 255.240.0.0 default metric default if default

add 192.168.0.0 mask 255.255.0.0 default metric default if default

Note To add routes, the VPN client user account must have local administrator privileges.
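A checker for the route text file before it goes into a profile or onto the intranet URL: an added example, not the article's or the Connection Manager Administration Kit's own code. It parses the add/delete syntax and the bare remove_gateway command, rejects malformed lines and non-network destinations, and renders the equivalent route commands with the VPN-assigned address substituted for a default gateway (the same value the CMD file approach receives as %1). The sample file contents are constructed from the article's private address space example.

```python
# Added example, not from the article or from the Connection Manager
# Administration Kit: a checker for the routing table update text file.
# Each line must read
#   add|delete Destination mask Netmask Gateway metric Metric if Interface
# or be the bare remove_gateway command.
import ipaddress
import re

ROUTE_LINE = re.compile(
    r"^(?P<cmd>add|delete)\s+(?P<dest>\S+)\s+mask\s+(?P<mask>\S+)\s+(?P<gw>\S+)"
    r"\s+metric\s+(?P<metric>\S+)\s+if\s+(?P<iface>\S+)$",
    re.IGNORECASE,
)

def parse_route_file(text):
    """Return a list of dicts, one per command; raise ValueError on bad lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "remove_gateway":
            entries.append({"command": "remove_gateway"})
            continue
        m = ROUTE_LINE.match(line)
        if m is None:
            raise ValueError("line %d: malformed route line: %r" % (lineno, raw))
        # ipaddress checks that the mask is contiguous and that Destination is a
        # network ID under that mask (strict mode rejects set host bits)
        net = ipaddress.IPv4Network((m["dest"], m["mask"]))
        if m["metric"].lower() != "default" and not m["metric"].isdigit():
            raise ValueError("line %d: metric must be default or a number" % lineno)
        entries.append({
            "command": m["cmd"].lower(),
            "destination": str(net.network_address),
            "netmask": str(net.netmask),
            "gateway": m["gw"],
            "metric": m["metric"],
            "interface": m["iface"],
        })
    return entries

def to_route_commands(entries, client_ip):
    """Render route commands; a 'default' gateway becomes the assigned VPN
    address, while default metric/interface are left for route to choose."""
    ipaddress.IPv4Address(client_ip)          # fail early on a bad address
    commands = []
    for e in entries:
        if e["command"] == "remove_gateway":
            continue                          # applied by Connection Manager itself
        gateway = client_ip if e["gateway"].lower() == "default" else e["gateway"]
        cmd = "route %s %s mask %s %s" % (e["command"], e["destination"], e["netmask"], gateway)
        if e["metric"].lower() != "default":
            cmd += " metric " + e["metric"]
        if e["interface"].lower() != "default":
            cmd += " if " + e["interface"]
        commands.append(cmd)
    return commands

# Constructed sample file matching the article's private address space example
SAMPLE_ROUTE_FILE = """\
add 10.0.0.0 mask 255.0.0.0 default metric default if default
add 172.16.0.0 mask 255.240.0.0 default metric default if default
add 192.168.0.0 mask 255.255.0.0 default metric default if default
"""

if __name__ == "__main__":
    for line in to_route_commands(parse_route_file(SAMPLE_ROUTE_FILE), "192.168.99.211"):
        print(line)
```

Strict network validation matters here because a destination with host bits set (for example 10.0.1.0 with mask 255.0.0.0) is a typo that route would otherwise accept in a form that does not match the intended summary.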

Using a CMD file on the VPN client

A command file (.CMD), also known as a batch file, is created and run on the VPN client computer after the VPN connection is made. The command file contains a series of route commands that add the routes of the organization intranet to which the VPN client is connecting. The route commands use the IP address that is dynamically assigned to the VPN client computer during the connection (by the VPN server) as the gateway IP address. Therefore, you must design your command files to accept the dynamically assigned IP address as a parameter when running the command file.

For example, to add routes for the private address space, the Example.cmd file is created with the following contents:

route add 10.0.0.0 mask 255.0.0.0 %1

route add 172.16.0.0 mask 255.240.0.0 %1

route add 192.168.0.0 mask 255.255.0.0 %1

To correctly run this command, the VPN client user must first determine the IP address assigned to the VPN connection. You can do this by running ipconfig at a command line or by double-clicking the VPN connection in the Network Connections folder when the VPN connection is active. In the resulting Status dialog box, click the Details tab. The VPN client's assigned IP address is listed as Client IP address. An example is shown in the following figure.

After the VPN client's assigned IP address is determined, the Example.cmd file is executed with the IP address as a parameter. For example, for the VPN client with the assigned IP address of 192.168.99.211, the command run at the command line is:

example 192.168.99.211

You can also use other methods, such as Visual Basic, to obtain the VPN client's assigned IP address programmatically and add the routes.

Note To add routes, the VPN client user account must have local administrator privileges.

Split-tunneling Security Issues

When a VPN client computer is connected to both the Internet and a private intranet and has routes that allow reachability to both networks, the possibility exists that a malicious Internet user might use the connected VPN client computer to reach the private intranet through the authenticated VPN connection. This is possible if the VPN client computer has IP routing enabled. IP routing is enabled on Windows XP-based computers by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter registry entry to 1 (data type is REG_DWORD).

If you must use split tunneling, you can help prevent unwanted traffic from the Internet by doing the following:

Use the Network Access Quarantine Control feature in Windows Server 2003 to check whether connecting VPN clients have IP routing enabled and, if so, do not allow VPN access until it has been disabled. For more information, see Network Access Quarantine Control (the February 2003 Cable Guy article).

Use IP packet filters on the VPN remote access policy profile to discard both inbound traffic on the VPN connection that has not been sent from the VPN client and outbound traffic that is not destined to the VPN client. The default remote access policy named Connections to Microsoft Routing and Remote Access server in Windows Server 2003 has these packet filters configured by default.

Note Using the above methods does not prevent unwanted traffic if a malicious Internet user is remotely controlling the VPN client computer. To prevent this, ensure that the VPN client computer has a firewall enabled (such as Internet Connection Firewall in Windows XP) and an anti-virus program installed and running with the latest virus signature file installed. These are also settings that can be checked and enforced when using Network Access Quarantine Control.
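Two of the checks described above, in code: an added example, not code from the article or from Windows. The first function reads the IPEnableRouter value from the registry path given above (the kind of check a quarantine script performs; it returns None when not run on Windows, because the winreg module only exists there). The second models the two packet filters of the default remote access policy and runs them over constructed sample packets, showing that traffic an Internet host tries to relay through a routing client is discarded at the VPN server and is visible as inbound tunnel packets with a foreign source address.

```python
# Added example, not from the article or Windows: (1) a check for the
# IPEnableRouter registry value named in the article, and (2) a model of the
# two packet filters the default remote access policy applies to a VPN
# connection, run over constructed sample packets.
import ipaddress
from dataclasses import dataclass

REGISTRY_PATH = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

def ip_routing_enabled():
    """True if IPEnableRouter is 1, False if absent or 0, None when not on
    Windows (the winreg module only exists there)."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REGISTRY_PATH) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "IPEnableRouter")
        except FileNotFoundError:
            return False
    return value == 1

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "inbound": from the client over the tunnel; "outbound": toward the client

def vpn_filter(packet, client_ip):
    """Inbound tunnel traffic must be sourced from the client's assigned
    address; outbound tunnel traffic must be destined to it. Anything else is
    discarded, which is what stops a routing client from relaying for others."""
    client = ipaddress.IPv4Address(client_ip)
    if packet.direction == "inbound":
        ok = ipaddress.IPv4Address(packet.src) == client
    elif packet.direction == "outbound":
        ok = ipaddress.IPv4Address(packet.dst) == client
    else:
        raise ValueError("direction must be inbound or outbound")
    return "permit" if ok else "discard"

def relay_sources(packets, client_ip):
    """Source addresses of inbound packets that did not originate from the
    client: evidence that the client is forwarding traffic from somewhere else."""
    return sorted({p.src for p in packets
                   if p.direction == "inbound" and vpn_filter(p, client_ip) == "discard"})

# Constructed sample traffic on a tunnel whose client was assigned 192.168.99.211
SAMPLE_PACKETS = [
    Packet("192.168.99.211", "10.1.1.20", "inbound"),   # client -> intranet server
    Packet("10.1.1.20", "192.168.99.211", "outbound"),  # server -> client reply
    Packet("203.0.113.77", "10.1.1.20", "inbound"),     # Internet host relayed by the client
    Packet("10.1.1.20", "203.0.113.77", "outbound"),    # reply that would go back to it
]

if __name__ == "__main__":
    print("IP routing enabled on this host:", ip_routing_enabled())
    for p in SAMPLE_PACKETS:
        print(p.direction, p.src, "->", p.dst, ":", vpn_filter(p, "192.168.99.211"))
    print("relay sources:", relay_sources(SAMPLE_PACKETS, "192.168.99.211"))
```

As the note above says, these filters do nothing against an attacker who controls the client itself and therefore sends from the client's own address; the registry check and the host firewall and anti-virus requirements are the controls that address that case.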